spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

`OAuth2Authentication` Design Issue (Perhaps?) #1077

Open allfro opened 7 years ago

allfro commented 7 years ago

Hi again,

While I was debugging my OAuth2 endpoints I came across an issue(?) that I was wondering if anyone could provide some clarity on. Specifically, this line https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java#L29 in the constructor of OAuth2Authentication, which selects the authorities of a user or client depending on whether the authentication request is user-based or not, respectively. When looking at the Authentication object returned from the SecurityContextHolder it is apparent that the client's authorities are nowhere to be found. It is also apparent from the JWT token decoding that the authorities of the user are populated. This seems a bit counterintuitive. Wouldn't you want to support a use-case where a preauthorization check could check if a client has a certain role and is operated by a specific user role as well? Could anyone provide some clarity on this design decision, please :)
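One way to get the combined client-plus-user check asked about above, as an added example that is not part of this thread or of spring-security-oauth: a bean callable from `@PreAuthorize` that re-reads the client's registered authorities through `ClientDetailsService` (since `OAuth2Authentication.getAuthorities()` only carries the user's authorities when a user is present) and then checks the user's authorities. The bean name `clientAndUserAuth` and the role names are assumptions.

```java
// Added example (not project code). Assumed bean name and role names.
import java.util.Collection;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.stereotype.Component;

@Component("clientAndUserAuth")
public class ClientAndUserAuthorizationChecker {

    private final ClientDetailsService clientDetailsService;

    public ClientAndUserAuthorizationChecker(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** Usage: @PreAuthorize("@clientAndUserAuth.check(authentication, 'ROLE_TRUSTED_CLIENT', 'ROLE_ADMIN')") */
    public boolean check(Authentication authentication, String requiredClientRole, String requiredUserRole) {
        if (!(authentication instanceof OAuth2Authentication)) {
            return false; // not an OAuth2 token: deny by default
        }
        OAuth2Authentication oauth = (OAuth2Authentication) authentication;
        // Client side: look the client up by id in the client registry rather than
        // relying on the stored OAuth2Request, whose authorities the thread observes
        // are not populated for user-based tokens.
        ClientDetails client;
        try {
            client = clientDetailsService.loadClientByClientId(oauth.getOAuth2Request().getClientId());
        } catch (ClientRegistrationException e) {
            return false; // unknown or removed client: deny
        }
        if (!names(client.getAuthorities()).contains(requiredClientRole)) {
            return false;
        }
        // User side: client-only tokens carry no user, so they are denied here.
        Authentication user = oauth.getUserAuthentication();
        if (oauth.isClientOnly() || user == null || !user.isAuthenticated()) {
            return false;
        }
        return names(user.getAuthorities()).contains(requiredUserRole);
    }

    private static Set<String> names(Collection<? extends GrantedAuthority> authorities) {
        return authorities.stream().map(GrantedAuthority::getAuthority).collect(Collectors.toSet());
    }
}
```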

allfro commented 7 years ago

Just for clarity: not even the OAuth2Request getter stores the client's authorities for some reason.

pnest commented 7 years ago

Have a bit similar trouble with this: https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java#L38-L41

Pretend we have TokenEndpointAuthenticationFilter and the user is authenticated. When the request reaches this point https://github.com/spring-projects/spring-security-oauth/blob/ec215f79f4f73f8bb5d4b8a3ff9abe15b3335866/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java#L143 the OAuth2Authentication contains both user and client data. And clientAuth.getName() returns the user name and replaces the client name in this map.

Am I using this filter incorrectly, or is this a design issue?

byference commented 4 years ago

I came across the same issue? I passed the SSO Server verification, but when DefaultAccessTokenConverter#extractAuthentication is building OAuth2Authentication, OAuth2Authentication#authenticated is false, although its construction parameter ((Authentication) user)#authenticated is true.

```java
public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
    ...
    // user#authenticated is true
    Authentication user = userTokenConverter.extractAuthentication(map);
    ...
    // OAuth2Authentication#authenticated is false
    return new OAuth2Authentication(request, user);
}
```